Effortless encryption with Let's Encrypt and DuckDNS

I actually was in the middle of writing a guide for Caddy on my blog. You can see that here.

Nabucasa :slight_smile:

This is a long thread and I spent a couple hours following it and trying various suggestions, but I’m stuck. Can anyone provide a few more troubleshooting tips (sorry if I may have missed the key post above - I’m not very adept at networking).

Here’s what I’ve tried:

  • followed all instructions for setting up duckdns
  • I set up port forwarding from 8123 to 8123 on my home router
  • I can access it through my internal network as long as I precede the network name with ‘https://’
  • I can successfully ping mydomain.duckdns.org from my command line
  • I can successfully ping my external ip from my command line (ping xx.xx.xx.xxx)
  • I cannot get a webpage to load at the expected duckdns address (with or without the trailing :8123)

[post 1 of 2]

[post 2 of 2 - sorry! as a new user I couldn’t post it all together]

I stumbled across this blog post which suggested using nginx to avoid the need for https on the internal network.

Here’s what I did:
  • I removed the lines in my configuration.yml file specifying the base_url
  • I added the nginx plugin
  • I can access HA through my internal network without https
  • I cannot get a webpage to load at the expected duckdns address (with or without the trailing :8123)

Additional info:

  • I don’t see any errors in the HA system log
  • pinging my local IP works (ping 192.168.0.xxx)

Are there any other intermediate steps I can try to troubleshoot to figure out where the problem is? Is it possible that my router is blocking incoming traffic (I’m on Comcast/Xfinity)? How would I know if this were the case?

I also tried typing my public IP in a browser (https:// followed by 98.247.xx.xxx:8123) under the assumption that that should bypass the need for duckdns (at least temporarily, until my IP changed). But that doesn’t work either (the browser returns “This site can’t be reached”). Is that another clue that the problem might lie with my router?


My best suggestion is outlined in : -

It works! The issue seems to have been that I cannot access the external address through my internal network.

When I turn off wifi on my cellphone, I can access HA through either http://mydomain.duckdns.org:8123 OR http://<my_public_ip>:8123. (though https doesn’t work).

It’s probably been working all along. I just didn’t think to try accessing it from an external network. Is it expected behavior that my internal network would be blocking requests in this way? Maybe I missed (or just didn’t understand) that somewhere in the documentation. Or is this some peculiarity of my network settings?

In any case, hopefully this can be useful to others. Thanks for the help!

It may well be that your modem does not support hairpin NAT,
i.e. it asks duckdns for the address, which is revealed as itself, but it won’t talk to itself.
If you employ the full instructions you can do local and full external.

I just submitted a PR which adds some info to the documentation describing the potential ‘hairpinning’ issue (which is new to me). That would have saved me hours!

You may have a point but this issue is both widely known and often discussed on the forum.
You should have come across it in your searches regarding remote access.

Ah, ok. Feel free to close without merging if it’s not useful. Thanks again for the help.

No, you missed this, others may too.
I hope you elucidated the point and instructions accordingly
I wish you luck with your request :+1:

BTW you shouldn’t use letsencrypt, the required letsencrypt components are included in the duckdns addon

If I have the DuckDNS and Let’s Encrypt add-on up and running, and I access my HA server from outside my home network via my external IP address + port (like https://XXX.XX.XX.XXX:8123) will it still be encrypted?

No, because the certificate is for the domain, not an IP address.

I have the Hass.io image installed on a Pi 4
I have been using the letsencrypt add-on for some time without issue. It has decided not to renew this time. I do not use DuckDNS. I have no-IP set up on my router for dynamic dns.
Here is my config

```yaml
email: [email protected]
domains:
  - xxxxxxx.xxxxxx.xxx
certfile: fullchain.pem
keyfile: [email protected]
challenge: http
dns: {}
```

I have deleted the pem files
I have uninstalled and re-installed the add-on
The thing that has changed in the meantime is my router.
Home Assistant has been working with the router, but I have not been through a renewal
This is my setup
[screenshot: Annotation 2020-03-02 113419]
I have commented out the http settings in configuration.yaml.
When I click ‘Start’ the button spins and then briefly turns red before coming back to its normal state
There is nothing showing in the add-on log
The pem files are not created
I suspect the port 80 access, but how can I test it?
The port forwarding works for 8123, as I have been using mydomain:8123 to access Home Assistant.
I am really stuck here!

By being outside your LAN and checking it from there.

Well I get a 404 Not Found on port 80. So I guess the request is getting through.

I finally solved this by completely changing how I do it.
I used this excellent guide - https://help.konnected.io/support/solutions/articles/32000023964-set-up-hass-io-with-secure-remote-access-using-duckdns-and-nginx-proxy
Port forwarding is just 80 -> 80 and 443 -> 443. No messing with 8123.
Just followed all the steps and it worked like a charm. We’ll see what happens at renewal time!


Not sure if this applies in your case, as I use duckdns and nginx but I only forward port 443 to 443.
No other ports exposed. And it renews certs seamlessly.

@Mutt, care to explain step by step how you did it ?
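As an added example (my own, not Mutt’s configuration and not the Konnected guide’s), here is an nginx site that matches the 443-only arrangement described above: the router forwards only 443 to the box running nginx, nginx terminates TLS with the Let’s Encrypt files the DuckDNS add-on writes under /ssl/, and Home Assistant stays on 8123, reachable only through the proxy. The hostname mydomain.duckdns.org, the certificate paths and the upstream address 127.0.0.1:8123 are assumptions; adjust them to your setup. Port 80 is not forwarded at all: the DuckDNS add-on renews with a DNS challenge (a TXT record published through the DuckDNS API), so the port-80 requirement of the HTTP challenge discussed earlier in the thread does not apply.

```nginx
# Added example, not the thread's or the Konnected guide's config.
# Assumptions: Home Assistant answers on 127.0.0.1:8123 on the same host,
# the DuckDNS add-on keeps the certificate under /ssl/, and the public
# name is mydomain.duckdns.org.

# Catch-all for anything arriving on 443 without the expected hostname
# (bare-IP scans, stale DNS). The certificate is only valid for the DuckDNS
# name, so instead of serving a certificate warning the connection is closed.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /ssl/fullchain.pem;
    ssl_certificate_key /ssl/privkey.pem;
    return 444;
}

server {
    listen 443 ssl;
    server_name mydomain.duckdns.org;

    ssl_certificate     /ssl/fullchain.pem;
    ssl_certificate_key /ssl/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # After the first https visit the browser refuses plain http for this name.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;

        # The Home Assistant frontend runs over a websocket; without the
        # Upgrade/Connection headers the page loads and then stalls.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Long-lived websocket sessions; the default 60s would drop them.
        proxy_read_timeout 3600s;
    }
}
```

Home Assistant has to be told it sits behind a proxy, otherwise the forwarded client address is ignored or, in recent releases, the request is refused: in configuration.yaml set `use_x_forwarded_for: true` under `http:` and list the proxy’s address in `trusted_proxies` (127.0.0.1 for the layout assumed here; with the NGINX add-on on Hass.io the proxy arrives from the Supervisor’s container network, so the entry is that subnet instead). Because 8123 is no longer forwarded, the earlier https://IP:8123 question answers itself: from outside there is nothing on 8123, and a request to https://<public IP>/ hits the catch-all block and is closed rather than answered with a certificate that does not match.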